
Oauth2 with OpenId connect

I am asking you today because I am at a dead end. I have missed a piece in the logic of OAuth2 and OpenID Connect in Apigee.

I understand that an application requests OpenID Connect to obtain the profile of the logged-in user, and that OAuth2 offers a way for an application to access a protected resource via an access token.

Now take a scenario where a protected resource needs to verify that the logged-in user is the same person who obtained the authorization token. Is the illustration I have done here good, or am I making things complicated?


From my understanding, what you have missed is the introspection endpoint.

This endpoint is designed for resource servers. It allows them to get details about the access token used by the client. If the access token is active, you will receive claims about it, and especially the `sub` claim, which represents the resource owner (i.e. the user in your use case).
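As an added example (not part of the answer above, and not Apigee's own code), here is what the resource-server side of that introspection check looks like: it builds the RFC 7662 introspection request and then decides, from the returned claims, whether the token's `sub` is the logged-in user. The endpoint URL, client credentials and the JSON responses are all constructed for the example.

```python
import base64
import json
import time
from typing import Optional

INTROSPECTION_URL = "https://auth.example.com/oauth2/introspect"  # assumed endpoint URL
RS_CLIENT_ID = "resource-server"   # constructed credentials the resource server
RS_CLIENT_SECRET = "rs-secret"     # uses to authenticate to the introspection endpoint


def build_introspection_request(access_token: str) -> dict:
    """Build the RFC 7662 introspection call the resource server would make.
    Returned as a dict (method, url, headers, form body) instead of being sent,
    so the example runs offline; any HTTP client can send it as-is."""
    creds = base64.b64encode(f"{RS_CLIENT_ID}:{RS_CLIENT_SECRET}".encode()).decode()
    return {
        "method": "POST",
        "url": INTROSPECTION_URL,
        "headers": {
            "Authorization": f"Basic {creds}",  # RS authenticates itself to the AS
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": {"token": access_token, "token_type_hint": "access_token"},
    }


def check_introspection(response_json: str, expected_sub: str,
                        required_scope: str, now: Optional[float] = None) -> tuple:
    """Decide whether the token belongs to the logged-in user and may be used here.
    Returns (allowed, reason). Each check maps to a claim defined in RFC 7662."""
    now = time.time() if now is None else now
    claims = json.loads(response_json)
    if not claims.get("active", False):          # revoked, expired or unknown token
        return False, "token not active"
    exp = claims.get("exp")
    if exp is not None and now >= exp:           # defence in depth: trust exp even if
        return False, "token expired"            # the server still reports active
    if claims.get("sub") != expected_sub:        # token was issued to a different user
        return False, "sub does not match logged-in user"
    if required_scope not in claims.get("scope", "").split():
        return False, "missing scope"
    return True, "ok"


# Constructed introspection responses (not captured from any real server).
ACTIVE_RESPONSE = json.dumps({"active": True, "sub": "user-42", "client_id": "webapp",
                              "scope": "openid profile read:orders", "exp": 1_800_000_000})
INACTIVE_RESPONSE = json.dumps({"active": False})
```

The `sub` comparison is the step that answers the question: the resource server matches the token's resource owner against the identity it already knows for the session, rather than trusting the client's claim about who is logged in.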
